These links are being provided as a convenience and for informational purposes only; they do not constitute an endorsement or an approval me. I’m not responsibility for the accuracy, legality or content of the external site or for that of subsequent links. Contact the external site for answers to questions regarding its content.

Microsoft Entra Management and Security Tools

🧰 PowerShell Modules and other Management Tools

Name Description from Project/Repo page Repository Project page/Blog
AzureAD Azure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT Pros commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features. ⚠️This module is planned for deprecation. For more details on the deprecation plans, see the deprecation update PowerShell Gallery: AzureAD AzureAD Module
Azure AD application secret rotator for Azure web sites Azure AD App Secret Manager automates the rotation of your Azure web sites secrets integrated with user approval and notification in Microsoft Teams Azure/AzureAD-AppSecretManager  
AzureADExporter The Azure AD Exporter is a PowerShell module that allows you to export your Azure AD and Azure AD B2C configuration settings to local .json files. This module can be run as a nightly scheduled task or a DevOps component (Azure DevOps, GitHub, Jenkins) and the exported files can be version controlled in Git or SharePoint. microsoft/azureadexporter  
Azure AD Toolkit The Azure AD Toolkit is a PowerShell module that providers helper cmdlets to manage the credentials of your application or service principal. microsoft/AzureADToolkit  
AzADServicePrincipalInsights Insights and change tracking on Azure Active Directory Service Principals (Enterprise Applications and Applications) JulianHayward/AzADServicePrincipalInsights  
AzureADAssessment The Azure AD Governance Assessment module runs an analysis of guest users and their permissions in a tenant. AzureAD/AzureADAssessment AzureADAssessement and PowerBI Reports (icewolf.ch)
Azure AD Governance Assessment Tooling for assessing an Azure AD tenant state and configuration AzureAD-Governance-Assessment AzureADAssessement and PowerBI Reports (icewolf.ch)
Azure AD B2C Custom Policy Manager This is a sample management tool for B2C Custom Policies. Custom policy allows you to customize every aspect of the authentication flow. azure-ad-b2c/custom-policy-manager  
Azure AD B2C Load Tests This sample intends to show how to create and run a load test of Azure AD B2C user flows and custom policies (including dependencies), and evaluate the results using the Azure Load Testing Service. Use this sample to perform a load test and determine your web application and B2C flows behavior under anticipated peak load conditions, identify bottlenecks and determine which element is causing degradation. azure-ad-b2c/load-tests  
Azure AD Connect Configuration Documenter AAD Connect configuration documenter is a tool to generate documentation of an Azure AD Connect installation. Currently, the documentation is only limited to the Azure AD Connect sync configuration. microsoft/AADConnectConfigDocumenter  
AzureAuth CLI wrapper for performing AAD Authentication. It makes use of MSAL for authentication and MSAL Extensions for caching. The CLI is designed for authenticating and returning an access token for public client AAD applications. This acts like a credential provider for Azure Devops and any other public client app. AzureAD/microsoft-authentication-cli  
CA Optics - Azure AD Conditional Access Gap Analyzer Azure AD Conditional Access Gap Analyzer is a solution for scanning gaps that might exist within complex Azure Active Directory Conditional Access Policy setups. jsa2/caOptics  
DCToolbox A PowerShell toolbox for Microsoft 365 security fans. DanielChronlund/DCToolbox DCToolbox PowerShell Module for Microsoft 365 Security, Conditional Access Automation, and more
EasyPIM EasyPIM is a PowerShell module created to help you manage Microsof Entra Privileged Identity Management (PIM). Packed with more than 30 cmdlets, EasyPIM leverages the ARM and Graph APIs to let you configure PIM Azure Resources, Entra Roles and groups settings and assignments in a simple way . kayasax/EasyPIM  
Fortigi ConditionalAccess This solution consists of powershell functions, bundled in a module to help automate and regulate Conditional Access deployment and maintance. Fortigi/ConditionalAccess  
Maester Monitor your Microsoft 365 tenant’s security configuration using Maester! Maester is a PowerShell-based test automation framework designed to help you monitor and maintain the security configuration of your Microsoft 365 environment. maester365/maester Get started - Maester.dev Videos: Microsoft365DSC YouTube Channel Video: Introducing Maester: Your Microsoft 365 test automation framework by Merill Fernando
IdentityProtectionTools The Identity Protection Tools PowerShell module contains sample functions for enumerating Risky Users by RiskLevel and date when their risk was last updated, Dismissing Risk for selected users for bulk operations, confirming Compromise for selected users for bulk operations. AzureAD/IdentityProtectionTools  
Microsoft365DSC This module allows organizations to automate the deployment, configuration, reporting and monitoring of Microsoft 365 Tenants via PowerShell Desired State Configuration. The compiled configuration needs to be executed from an agent’s Local Configuration Manager (LCM) (machine or container) which can communicate back remotely to Microsoft 365 via remote API calls (therefore requires internet connectivity). microsoft/Microsoft365DSC Introduction - M365DSC.com Videos: Microsoft365DSC YouTube Channel
Microsoft Graph SDK The Microsoft Graph PowerShell SDK is a collection of PowerShell modules that contain commands for calling Microsoft Graph service. microsoftgraph/msgraph-sdk-powershell Microsoft Graph PowerShell SDK overview Samples: Graph PowerShell Samples Community
Microsoft Graph Developer Proxy Microsoft Graph Developer Proxy is a command line tool for testing Microsoft Graph and other APIs. microsoftgraph/msgraph-developer-proxy Introducing the Microsoft Graph Developer Proxy community preview
Microsoft Cloud Group Analyzer For Microsoft Cloud admins who struggle to keep track of where Entra ID groups are used, Group Analyzer is an opensource script that provides instant insights in what services/policies/… a given group or user is scoped to. asperbaes/Microsoft-Cloud-Group-Analyzer  
Microsoft Identity Tools PowerShell Module The Microsoft Identity Tools PowerShell module provides various tools for performing enhanced Identity administration activities. It is intended to address more complex business scenarios that can’t be met solely with the use of MS Graph PowerShell SDK module. AzureAD/MSIdentityTools  
Microsoft Identity DotNet Analyzers Contains static analyzers to detect bad practices in the usage of .NET authentication libraries AzureAD/microsoft-identity-dotnet-analyzers  
MSAL.PS The MSAL.PS PowerShell module wraps MSAL.NET functionality into PowerShell-friendly cmdlets and is not supported by Microsoft. Microsoft support does not extend beyond the underlying MSAL.NET library. AzureAD/MSAL.PS Microsoft Graph using MSAL with PowerShell - darrenjrobinson
PIMScan Tool for creating reports on Entra ID Role Assignments canix1/PIMSCAN  
PSMSGraphBatchRequest The MSGraphBatchRequest PowerShell module provides a convenient way to transform data into Microsoft Graph Batch Requests by converting PowerShell objects to JSON with proper schema validation. PSMSGraphBatchRequest  
SCuBA M365 Security Baseline Assessment Tool Developed by CISA, this assessment tool verifies that an M365 tenant’s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents. cisagov/ScubaGear  
Terraform Provider for Azure Active Directory The Azure Provider can be used to configure infrastructure in Azure Active Directory using the Microsoft Graph API. hashicorp/azuread - Terraform Registry Docs overview

🛡️ Security Research Tools

Name Description from Project/Repo page Repository Project page/Blog
AADInternals AADInternals is PowerShell module for administering Azure AD and Office 365 Gerenios/AADInternals: AADInternals AAD Internals (aadinternals.com)
Azure AD Incident Response PowerShell Module The Azure Active Directory Incident Response PowerShell module provides a number of tools, developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response. AzureAD/Azure-AD-Incident-Response-PowerShell-Module  
Entra ID Security Config Analyzer (EIDSCA) Logic App solution to ingest configuration data of Azure AD to Log Analytics for monitoring and strengthen identity security posture. Cloud-Architekt/AzureAD-Attack-Defense  
azbelt Standalone DLL and sliver extension for enumerating Azure related credentials, primarily on AAD joined machines daddycocoaman/azbelt  
AppTotal Analyze suspicious OAuth apps, browser extensions and SaaS add-ons to detect harmful apps, risky permissions and other security issues. AppTotal.io  
AzureHound The BloodHound data collector for Microsoft Azure BloodHoundAD/AzureHound Automating Things 0x01 – AzureHound for blue teams
AzTokenFinder Is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others. HackmichNet/AzTokenFinder  
AzureRT Helpful utilities dealing with access token based authentication, switching from Az to AzureAD  and az cli interfaces, easy to use pre-made attacks such as Runbook-based command execution and more. mgeeky/AzureRT: AzureRT  
BadZure BadZure is a PowerShell script that leverages the Microsoft Graph SDK to orchestrate the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths. mvelazc0/BadZure  
Bloodhound BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment. BloodHoundAD/BloodHound BloodHound: Six Degrees of Domain Admin
BloodHound Attack Research Kit /BARK) BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft’s Azure suite of products and services. BloodHoundAD/BARK: BloodHound  
CrowdStrike Reporting Tool for Azure (CRT) This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments. CrowdStrike/CRT/CRT  
Forest Druid Free Tier 0 attack path discovery tool for Active Directory environments by Semperis Forest Druid Closing Attack Paths to Tier 0 Assets with Forest Druid
GraphRunner Post-exploitation toolset for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra ID (Azure AD) account. dafthack/GraphRunner Introducing GraphRunner: A Post-Exploitation Toolset for Microsoft 365
GraphSpy Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI RedByte1337/GraphSpy GraphSpy – The swiss army knife for attacking M365 & Entra
MAAD Attack Framework MAAD-AF is an open-source cloud attack tool developed for testing security of Microsoft 365 & Azure AD environments through adversary emulation. MAAD-AF provides security practitioners easy to use attack modules to exploit configurations across different M365/AzureAD cloud-based tools & services. vectra-ai-research/MAAD-AF  
Mandiant Azure AD Investigator This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are “high-fidelity” indicators of compromise, while other artifacts are so called “dual-use” artifacts. Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. mandiant/Mandiant-Azure-AD-Investigator  
MicroBurst MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping. It is intended to be used during penetration tests where Azure is in use. NetSPI/MicroBurst Various blog posts on: https://www.netspi.com/blog/
Monkey365 Monkey365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start. To help with this effort, Monkey365 also provides several ways to identify security gaps in the desired tenant setup and configuration. Monkey365 provides valuable recommendations on how to best configure those settings to get the most out of your Microsoft 365 tenant or Azure subscription. silverhack/monkey365  
ROADtools ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. dirkjanm/ROADtools Introducing ROADtools - The Azure AD exploration framework - dirkjanm.io
PurpleKnight Semperis built Purple Knight—a free AD and Azure AD security assessment tool—to help you discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in your hybrid AD environment. PurpleKnight Community Purple Knight Introduces Azure AD Security Indicators
RedCloud OS RedCloud OS is a Debian based Cloud Adversary Simulation Operating System for Red Teams to assess the security of leading Cloud Service Providers (CSPs). It includes tools optimized for adversary simulation tasks within AWS, Azure and GCP. RedTeamOperations/RedCloud-OS  
onedrive_user_enum Python script to enumerate valid OneDrive users nyxgeek/onedrive_user_enum TrustedSec - OneDrive to enum them all
SimuLand SimuLand is an open-source initiative by Microsoft to help security researchers around the world deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify effectiveness of related Microsoft 365 Defender, Azure Defender and Microsoft Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise. Azure/SimuLand SimuLand: Understand adversary tradecraft and improve detection strategies - Microsoft Security Blog
Stormspotter Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work. Azure/Stormspotter  
SkyArk SkyArk currently focuses on mitigating the new threat of Cloud Shadow Admins, and helps organizations to discover, assess and protect cloud privileged entities. Stealthy and undercover cloud admins may reside in every public cloud platform and SkyArk helps mitigating the risk in AWS and Azure. cyberark/SkyArk  
TeamFiltration TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. Flangvik/TeamFiltration  
TokenMan Token Man is a tool for supporting post-exploitation activities using AAD access and/or refresh tokens. secureworks/TokenMan  
TokenTactics Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code. Even if they used multi-factor authentication. Once you have a user’s access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MSTeams and more. For instance, if you have a Graph or MSGraph token, you can then connect to Azure and dump users, groups, etc. You could then, depending on conditional access policies, switch to an Azure Core Management token and run AzureHound. Then, switch to an Outlook token and read/send emails or MS Teams and read/send teams messages! rvrsh3ll/TokenTactics  
TokenTactics v2 A fork of TokenTactics with support for CAE and token endpoint v2. Detailed output for Parse-JWTtoken to display related information for longer-lived (CAE-capable) tokens. f-bader/TokenTacticsV2 Continuous access evaluation - CloudBrothers.info
Vajra Vajra is a UI based tool with multiple techniques for attacking and enumerating in target’s Azure environment. Vajra presently supports Azure and AWS Cloud environments, with plans to add support for Google Cloud Platform and certain OSINT in the future. TROUBLE-1/Vajra  

🪄 Postman Collections

Collection Name Link to Collection/Fork Documentation
Azure AD v2.0 Protocols Collection for Authentication Flows Microsoft identity platform and OAuth 2.0
Microsoft Graph API Microsoft Graph Collection Use Postman with the Microsoft Graph API
Microsoft Threat Protection Microsoft-Threat-Protection/Postman at master · richlilly2004  
Verified ID VerifiedID Request API, VerifiedID Admin API active-directory-verifiable-credentials/Postman

🧑‍💻 Visual Studio Code Extensions

Extension Name Description from Project/Repo page Project repository Marketplace
Azure AD B2C The Azure AD B2C extension for VS Code lets you quickly navigate through Azure AD B2C custom policies. Create elements like technical profiles and claim definitions. For more information, see Get started with custom policies. azure-ad-b2c/vscode-extension Azure AD B2C
MS Graph Completion This VSCode extension allows you to auto-complete the Microsoft Graph API URLs you are writing. You get the most useful Microsoft Graph Explorer functionality in your favorite editor. estruyf/vscode-msgraph-autocomplete MS Graph Completion




Image by StockSnap from Pixabay